teach/adlin
Archived
0
0
Fork 0
Code Issues 1 Pull Requests 4 Releases Activity

Backup tuto3

Browse Source
This commit is contained in:
nemunaire 2019-03-10 19:32:38 +01:00 committed by Pierre-Olivier Mercier
parent 9262917553
commit 43b5f7ba94
9 changed files with 525 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
.gitignore vendored
View File

@ -12,4 +12,9 @@ tuto2-initrd.img
tuto2.iso tuto2.iso
tuto2-kernel tuto2-kernel
tuto2-state/ tuto2-state/
tuto3-cmdline
tuto3-initrd.img
tuto3.iso
tuto3-kernel
tuto3-state/
fonts/ fonts/

20
pkg/debian-tuto3/Dockerfile Normal file
View File

@ -0,0 +1,20 @@
FROM debian
RUN apt-get update && apt-get install --no-install-recommends -y \
busybox \
console-data \
curl \
dnsutils \
kbd \
nano \
iptables \
nftables \
openssh-server \
python \
ssmtp \
systemd-sysv \
udev \
vim.tiny \
&& rm -rf /var/lib/apt/lists/*
COPY sshd_config /etc/ssh/sshd_config

1
pkg/debian-tuto3/build.yml Normal file
View File

@ -0,0 +1 @@
image: adlin-tuto3

12
pkg/debian-tuto3/issue Normal file
View File

@ -0,0 +1,12 @@
 .o. .o8 ooooo o8o
 .888. "888 `888' `"'
 .8"888. .oooo888  888 oooo ooo. .oo.
 .8' `888. d88' `888  888 `888 `888P"Y88b
 .88ooo8888. 888 888  888 888 888 888
 .8' `888. 888 888  888 o 888 888 888
 o88o o8888o `Y8bod88P" o888ooooood8 o888o o888o o888o

Debian GNU/Linux 9 \n \l
IPv4: \4

104
pkg/debian-tuto3/sshd_config Normal file
View File

@ -0,0 +1,104 @@
# $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#PubkeyAuthentication yes
# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation sandbox
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100

10
pkg/postfix/Dockerfile Normal file
View File

@ -0,0 +1,10 @@
FROM alpine:3.7
MAINTAINER Pierre-Olivier Mercier <nemunaire@nemunai.re>
RUN apk add --no-cache postfix
EXPOSE 25
CMD ["/usr/sbin/postfix", "-d"]
LABEL org.mobyproject.config='{"binds": ["/etc/resolv.conf:/etc/resolv.conf"], "capabilities": ["CAP_NET_BIND_SERVICE"]}'

1
pkg/postfix/build.yml Normal file
View File

@ -0,0 +1 @@
image: postfix

13
pkg/postfix/docker-entrypoint.sh Executable file
View File

@ -0,0 +1,13 @@
#!/bin/sh
set -e
if [ `which unbound-$1 2>/dev/null` ]; then
set -- unbound-"$@"
elif [ ! `which $1 2>/dev/null` ]; then
set -- unbound -dv "$@"
fi
unbound-anchor
exec "$@"

359
tuto3.yml Normal file
View File

@ -0,0 +1,359 @@
kernel:
image: linuxkit/kernel:4.14.27
cmdline: "console=tty0"
init:
- linuxkit/init:b212cfeb4bb6330e0a7547d8010fe2e8489b677a
- linuxkit/runc:7c39a68490a12cde830e1922f171c451fb08e731
- linuxkit/containerd:37e397ebfc6bd5d8e18695b121166ffd0cbfd9f0
- linuxkit/ca-certificates:v0.2
- linuxkit/getty:v0.2
onboot:
- name: sysctl
image: linuxkit/sysctl:v0.2
binds:
- /etc/sysctl.d/:/etc/sysctl.d/:ro
# Network: external
- name: dhcpcd
image: linuxkit/dhcpcd:v0.2
command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
net: new
runtime:
interfaces:
- name: eth0
bindNS:
net: /run/netns/router
# Network: workstations
- name: net-wks-setup
image: linuxkit/ip:v0.2
command: ["/bin/sh", "-c", "ip a add 192.168.6.254/24 dev ethwks; ip link set ethwks up;" ]
net: /run/netns/router
runtime:
interfaces:
- name: ethwks
add: veth
peer: veth-wks
# Network: servers
- name: net-srv-setup
image: linuxkit/ip:v0.2
command: ["/bin/sh", "-c", "ip a add 172.23.42.1/24 dev ethsrv; ip link set ethsrv up;" ]
net: /run/netns/router
runtime:
interfaces:
- name: ethsrv
add: veth
peer: veth-srv
- name: net-srvns-setup
image: linuxkit/ip:v0.2
command: ["/bin/sh", "-c", "ip a add 172.23.42.2/24 dev vethin-ns; ip link set vethin-ns up; ip route add default via 172.23.42.1;" ]
net: new
runtime:
interfaces:
- name: vethin-ns
add: veth
peer: veth-ns
bindNS:
net: /run/netns/ns
# - name: net-srvmail-setup
# image: linuxkit/ip:v0.2
# command: ["/bin/sh", "-c", "ip a add 172.23.42.3/24 dev vethin-mail; ip link set vethin-mail up; ip route add default via 172.23.42.1;" ]
# net: new
# runtime:
# interfaces:
# - name: vethin-mail
# add: veth
# peer: veth-mail
# bindNS:
# net: /run/netns/mail
- name: net-srvdb-setup
image: linuxkit/ip:v0.2
command: ["/bin/sh", "-c", "ip a add 172.23.42.4/24 dev vethin-db; ip link set vethin-db up; ip route add default via 172.23.42.1;" ]
net: new
runtime:
interfaces:
- name: vethin-db
add: veth
peer: veth-db
bindNS:
net: /run/netns/db
- name: net-srvchat-setup
image: linuxkit/ip:v0.2
command: ["/bin/sh", "-c", "ip a add 172.23.42.5/24 dev vethin-chat; ip link set vethin-chat up; ip route add default via 172.23.42.1;" ]
net: new
runtime:
interfaces:
- name: vethin-chat
add: veth
peer: veth-chat
bindNS:
net: /run/netns/chat
- name: net-srvttrss-setup
image: linuxkit/ip:v0.2
command: ["/bin/sh", "-c", "ip a add 172.23.42.6/24 dev vethin-ttrss; ip link set vethin-ttrss up; ip route add default via 172.23.42.1;" ]
net: new
runtime:
interfaces:
- name: vethin-ttrss
add: veth
peer: veth-ttrss
bindNS:
net: /run/netns/ttrss
# Network: bridges
- name: bridges-setup
image: linuxkit/ip:v0.2
command: ["/bin/sh", "-c", "ip link set veth-srv master brsrv; ip link set veth-ns master brsrv; ip link set veth-mail master brsrv; ip link set veth-db master brsrv; ip link set veth-chat master brsrv; ip link set veth-ttrss master brsrv; ip link set veth-srv up; ip link set veth-ns up; ip link set veth-mail up; ip link set veth-db up; ip link set veth-chat up; ip link set veth-ttrss up; ip link set brsrv up; ip link set veth-wks master brwks; ip link set veth-wks1 master brwks; ip link set veth-wks2 master brwks; ip link set veth-wks up; ip link set veth-wks1 up; ip link set veth-wks2 up; ip link set brwks up;" ]
runtime:
interfaces:
- name: brsrv
add: bridge
- name: brwks
add: bridge
services:
- name: dhcpcd-wks1
image: linuxkit/dhcpcd:v0.2
net: new
runtime:
interfaces:
- name: eth1
- name: ethwks1
add: veth
peer: veth-wks1
bindNS:
net: /run/netns/wks1
- name: dhcpcd-wks2
image: linuxkit/dhcpcd:v0.2
net: new
runtime:
interfaces:
- name: ethwks2
add: veth
peer: veth-wks2
bindNS:
net: /run/netns/wks2
- name: sshd-wks1
image: linuxkit/sshd:v0.2
net: /run/netns/wks1
binds:
- /etc/dpasswd:/etc/passwd
- /etc/dshadow:/etc/shadow
- name: sshd-wks2
image: linuxkit/sshd:v0.2
net: /run/netns/wks2
binds:
- /etc/dpasswd:/etc/passwd
- /etc/dshadow:/etc/shadow
- name: router
image: nemunaire/adlin-tuto3:0fa628c796ff914e9a0f160c27a79a30092868e3-dirty
net: /run/netns/router
command: ["/bin/sh", "-c", "mkdir -p /run/sshd && exec /usr/sbin/sshd -D"]
capabilities:
- all
binds:
- /etc/dresolv.conf:/etc/resolv.conf
- /etc/dpasswd:/etc/passwd
- /etc/dshadow:/etc/shadow
- name: ns
image: nemunaire/unbound:528445043685979b1b479c6c44d68de36bc872ad
net: /run/netns/ns
capabilities:
- all
binds:
- /etc/unbound:/etc/unbound:ro
- name: db
image: postgres:alpine
net: /run/netns/db
capabilities:
- all
command: ["/docker-entrypoint.sh", "postgres"]
env:
- LANG=en_US.utf8
- PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/"
- PGDATA=/var/lib/postgresql/data
- POSTGRES_PASSWORD=adlin2019
binds:
- /initdb/init-ttrss.sh:/docker-entrypoint-initdb.d/init-ttrss.sh:ro
- /initdb/init-mattermost.sh:/docker-entrypoint-initdb.d/init-mattermost.sh:ro
- name: chat
image: nemunaire/mattermost:ecb81e668c64d07b4453f9b465a6998fc6ceb067-dirty
net: /run/netns/chat
capabilities:
- all
command: ["/entrypoint.sh", "/mattermost/bin/platform"]
env:
- MM_USERNAME=mattermost
- MM_DBNAME=mattermost
- MM_PASSWORD=adlin2019
binds:
- /etc/hosts:/etc/hosts:ro
- name: ttrss
image: nemunaire/ttrss:89149d186daf3ebf752a764807dee3180f46b93d-dirty
net: /run/netns/ttrss
capabilities:
- all
command: ["/usr/bin/ttrss_entrypoint.sh", "/sbin/start_ttrss"]
env:
- TTRSS_PORT=80
- TTRSS_DB_TYPE=pgsql
- TTRSS_DB_HOST=db
- TTRSS_DB_PORT=5432
- TTRSS_DB_NAME=ttrss
- TTRSS_DB_USER=ttrss
- TTRSS_DB_PASS=adlin2019
- TTRSS_SELF_URL_PATH=http://localhost/
binds:
- /etc/hosts:/etc/hosts:ro
files:
- path: etc/hosts
contents: |
127.0.0.1 localhost
::1 localhost
172.23.42.4 db
mode: "0444"
- path: /initdb/init-ttrss.sh
contents: |
#!/bin/sh
set -e
psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" <<-EOSQL
CREATE USER ttrss WITH PASSWORD 'adlin2019';
CREATE DATABASE ttrss;
GRANT ALL PRIVILEGES ON DATABASE ttrss TO ttrss;
EOSQL
mode: "0555"
- path: /initdb/init-mattermost.sh
contents: |
#!/bin/sh
set -e
psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" <<-EOSQL
CREATE USER mattermost WITH PASSWORD 'adlin2019';
CREATE DATABASE mattermost;
GRANT ALL PRIVILEGES ON DATABASE mattermost TO mattermost;
EOSQL
mode: "0555"
- path: /etc/init.d/500-showip.sh
contents: |
#!/bin/sh
nsenter -n/run/netns/router ip a show dev eth0
nsenter -n/run/netns/wks1 ip a show dev eth1
exit 0
mode: "0555"
- path: /etc/init.d/999-getty.sh
contents: |
#!/bin/sh
while true
do
/usr/bin/setsid /usr/bin/nsenter -t $(echo $(ps a | grep sshd | head -1) | cut -d ' ' -f 1) -m -u -i -n -p -- /sbin/agetty -l /sbin/login 38400 tty1 linux
sleep 1
done &
mode: "0555"
- path: etc/unbound/unbound.conf
contents: |
server:
verbosity: 1
interface: 0.0.0.0
interface: ::0
prefer-ip6: no
access-control: 172.23.0.0/16 allow
access-control: 192.168.0.0/16 allow
log-queries: yes
log-replies: yes
use-syslog: no
hide-identity: yes
hide-version: yes
qname-minimisation: yes
domain-insecure: "."
val-permissive-mode: yes
trust-anchor-file: "/usr/share/dnssec-root/trusted-key.key"
local-zone: "adlin.nemunai.re" typetransparent
local-data: "news.adlin.nemunai.re A 172.23.42.1"
local-data: "im.adlin.nemunai.re A 172.23.42.1"
remote-control:
control-enable: no
forward-zone:
name: "."
forward-addr: 9.9.9.9
mode: "0440"
- path: etc/dpasswd
contents: |
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/bin/false
messagebus:x:101:102::/var/run/dbus:/bin/false
sshd:x:102:65534::/run/sshd:/usr/sbin/nologin
systemd-timesync:x:103:105:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:104:106:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:105:107:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:106:108:systemd Bus Proxy,,,:/run/systemd:/bin/false
mode: "0644"
- path: etc/dshadow
contents: |
root:$6$fCh6fLfB$wTiBuIJB2/QLl37VlJ16MsqGmfSDct8ALRpY8kemFC2T4N4eZgdlTnEqTuYn5i4FMc5GoDBx1nfENHQqm0Zgm.:17594:0:99999:7:::
daemon:*:17575:0:99999:7:::
bin:*:17575:0:99999:7:::
sys:*:17575:0:99999:7:::
sync:*:17575:0:99999:7:::
games:*:17575:0:99999:7:::
man:*:17575:0:99999:7:::
lp:*:17575:0:99999:7:::
mail:*:17575:0:99999:7:::
news:*:17575:0:99999:7:::
uucp:*:17575:0:99999:7:::
proxy:*:17575:0:99999:7:::
www-data:*:17575:0:99999:7:::
backup:*:17575:0:99999:7:::
list:*:17575:0:99999:7:::
irc:*:17575:0:99999:7:::
gnats:*:17575:0:99999:7:::
nobody:*:17575:0:99999:7:::
_apt:*:17575:0:99999:7:::
messagebus:*:17594:0:99999:7:::
sshd:*:17594:0:99999:7:::
systemd-timesync:*:17594:0:99999:7:::
systemd-network:*:17594:0:99999:7:::
systemd-resolve:*:17594:0:99999:7:::
systemd-bus-proxy:*:17594:0:99999:7:::
mode: "0640"
- path: etc/dresolv.conf
contents: |
nameserver 172.23.42.2
mode: "0644"
trust:
org:
- linuxkit
- library